How to Know When Your Security is Going Stale: The Principle of Mitigation Effectiveness

You can keep your security at a "state of the art" level despite the ever-changing and advancing world of IT solutions by using the techniques of Mitigation Effectiveness analysis.

In my last article, about the Principle of Imminent Obsolescence, I discussed how any given security mitigation can, and will, eventually go obsolete based on changes in the environment happening around it. The question then becomes: how can we tell when a mitigation is maintaining or losing its effectiveness? How can we tell when it's time to double down on something that's working well for us, or to divest of something that may no longer be what we need to maintain a secure environment?

A Sample Case Study: When to do a Mitigation Effectiveness Analysis

Recently I had a call from a client—they came to me asking for advice on which next generation firewall product would be the best choice for their environment because, I was told, “We are going to spend about $2M on these firewall upgrades this year and need to know we're buying the best brand for our needs.”

Apparently, they had already gone to two security technology resellers – and the resellers were more than happy to help them spend $2M on these new firewalls. When the time came to cut the purchase order, the CIO and CFO came back to the CISO and said, “Please go check with our Security Consultant first and get his input - make sure we’ve got the right products in mind.”

When the CISO and I had our call, I started the conversation by asking him a simple question that the resellers had apparently not asked: “Why do you think you need to spend $2M on these firewalls? What has changed in the environment that this is now a necessary expense when you are working on so many other issues?”

His response: “The Audit Team is telling us the maintenance contracts on the original firewalls are coming due, and we need to upgrade the firewalls now.” OK, understood—so we went and talked to the Audit Team, and asked them, “What technical requirements were driving the $2M firewall upgrade?”

The Audit Team’s answer was disconcerting at best: “The firewall vendor told us it needs to be done.” OK—full stop—the company was about to spend $2M on firewall upgrades because the firewall vendor said it was necessary? It was time for a Mitigation Effectiveness analysis!

The Process: The Art of the Effective Use of Corporate Threat Modeling

We proceeded by working with the client to go over the original environment requirements that drove the purchase and installation of the two firewalls in place today. To get clarity on the firewalls’ original effectiveness, we performed a quick threat model analysis of that original environment so that we had a proper baseline comparison point.

At the time of installation 5 years ago, the company had been running completely out of one datacenter, with only corporate-owned and managed end clients, and with complete consolidation of storage, business systems, back office ops and web presence in that one datacenter environment. Therefore, at the time of installation, those two firewalls were very successfully covering 95% of all dataflows for the company.

We then developed a complete Security Strategy analysis and threat model for their current environment today - including the company’s plans for the near future. The company had either moved—or was in the process of moving—back office ops to the cloud on Office 365, and was moving all CRM to Salesforce. They were becoming heavy users of cloud data storage, and had recently adopted a BYOD program for end-client operations. The developer team had already shifted to Microsoft Azure for their development environment, and was in the process of migrating all corporate apps to that platform. The company’s plan for the future was to divest of the expensive datacenter over the next 5 years and drastically reduce corporate-owned end client purchasing.

Because of these planned changes in the corporate IT model, those same two firewalls were now protecting only an average of 15% of the corporate dataflows—all due to the company’s growth, its adoption of new tech, and the changing nature of the threat model for the business!

Were the two firewalls obsolete? No, they were still effectively protecting the remaining datacenter web servers, cloud connectors, etc., during these new transitions. Did they need to be upgraded to the tune of $2M? Absolutely not. They were doing fine as-is—and the new threat models showed that there were several other types of new security mitigations that needed to be deployed, AND several other existing security mitigations that were approaching the point of Imminent Obsolescence and needed to be divested of!
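The coverage comparison that drove this conclusion can be reduced to a small model: inventory the dataflows in each threat-model snapshot, note which mitigations sit in each flow's path, and compare every mitigation's share of total flow volume between the baseline and today. The script below is an added illustration, not the client's data or the author's tooling; the flow volumes, flow names and mitigation labels (`dc-firewall`, `corp-only-nac`, `sso-mfa`) are constructed to mirror the case study, and the decision thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    volume: float           # relative weight of this dataflow (constructed units)
    mitigations: frozenset  # mitigations that sit in this flow's path


def coverage(flows, mitigation):
    """Share of total flow volume that passes through `mitigation`."""
    total = sum(f.volume for f in flows)
    hit = sum(f.volume for f in flows if mitigation in f.mitigations)
    return hit / total if total else 0.0


def unprotected(flows):
    """Dataflows with no mitigation in their path: candidates for new controls."""
    return sorted(f.name for f in flows if not f.mitigations)


def verdict(baseline, current, mitigation):
    """Compare one mitigation's coverage across two threat-model snapshots.
    Thresholds are assumed for illustration: zero coverage means divest,
    a drop of more than half means hold rather than expand."""
    before, after = coverage(baseline, mitigation), coverage(current, mitigation)
    if after == 0:
        action = "divest: covers no current dataflow"
    elif after < before / 2:
        action = "hold: still effective, do not expand"
    else:
        action = "maintain or invest"
    return round(before, 2), round(after, 2), action


def flow(name, volume, *mitigations):
    return Flow(name, volume, frozenset(mitigations))


FW, NAC, SSO = "dc-firewall", "corp-only-nac", "sso-mfa"
# Constructed baseline: one datacenter, corporate-owned clients only.
BASELINE = [flow("web presence", 30, FW), flow("back office", 30, FW, NAC),
            flow("storage", 20, FW, NAC), flow("crm", 15, FW, NAC),
            flow("partner vpn", 5)]
# Constructed current state: SaaS back office and CRM, cloud storage, Azure dev, BYOD.
CURRENT = [flow("dc web servers", 10, FW), flow("cloud connectors", 5, FW),
           flow("office 365", 30, SSO), flow("salesforce", 15, SSO),
           flow("cloud storage", 20), flow("azure dev", 20)]

if __name__ == "__main__":
    for m in (FW, NAC, SSO):
        print(m, verdict(BASELINE, CURRENT, m))
    print("no mitigation in path:", unprotected(CURRENT))
```

With these constructed numbers the firewall pair drops from 95% to 15% coverage and lands on "hold", the corporate-only NAC drops to zero and lands on "divest", and the cloud storage and Azure dev flows show up as gaps needing new mitigations.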

By using the techniques of Mitigation Effectiveness Analysis, we were able to help the company avoid a very expensive and unnecessary expenditure, make a solid plan to protect the current and future environment based on BUSINESS GOALS, and—in the process—identify several other mitigations that needed to be retired over time. Finally, the Security Strategy and Mitigation Effectiveness Analysis helped them focus sharply on the proper security solutions moving forward. The world of IT is in constant flux - and therefore Security Solutions need to be considered as being in the same state of flux.

Security executives and their staff cannot afford to be frivolous with time, resources, and especially budget. The goal for the Security Executive is—first and foremost—to be a BUSINESS partner. If the CISO can understand where the business is today—and if they are “in the loop” and well informed as to where the business is going—they can keep the corporate threat models fresh, and stay ahead of the wave of security threats that are inevitably coming. There will always be security threats that will take the IT Security world by surprise—this is inevitable—and therefore it is imperative to adopt the principles of Mitigation Effectiveness Modeling and Imminent Obsolescence to be ahead of the wave that comes.

About the Author

Elliot is a thought leader with over 25 years in executive management. He's served as a leading Cybersecurity research analyst; Chief Security Architect at the office of the CTO at Dell; Director of Strategic Services, Security, and Identity at Cisco Systems; Chief Information Security Officer (CISO) of Merrill Lynch; and Senior Security Architect, Security Center of Excellence for Microsoft.